Computing Center

Is Your PC Watching You?

New desktop snoopware products let anyone--boss, business partner, or spouse--track your PC habits.

Bill Wallace and Jamie Fenton

If you lie awake at night fretting about personal privacy and your computer, consider this: The biggest threat may not be the government or the operator of the Web site you visited late last night, but your business partner, your boss, or even your spouse.

Products for monitoring desktop computers have been around for years. But until recently they were primarily designed for and marketed to large businesses that worried about employee misuse of Internet access and the company e-mail system. Now, a new wave of low-cost, easy-to-use monitoring products is available to home and small-business users. Dubbed snoopware, these products do everything their large-scale corporate cousins can--and in some cases, even more.

Spy on Them All

Advertising for these products makes their intended use crystal clear: "Secretly Record Everything Your Spouse, Children, and Employees Do Online," invites one firm. Another vendor promises to help "companies understand how employees use their computers, especially, how much time they spend for non-business purposes or in ways that could result in legal exposure for the organization."

PC World tested four snoopware products intended for home and small-business use: Insight, a $100 per seat product from Trisys; WinWhatWhere's Investigator ($99 for a single-user license); and SpectorSoft's EBlaster ($60 per package) and Spector 2.1 ($70 per package). Our conclusion: Though each does its job a little differently, all are extremely effective at surreptitiously recording activity on a computer, whether it's in an office or in the family room.

We also discovered that it's possible, though not easy, to determine whether you're being monitored. But unless you know just what to look for, and where (see "Countering Snoopware"), you may never know that someone else has been clandestinely observing your every keystroke.

Secret computer recording technology disturbs privacy advocates, who worry about possible abuse of spy software. For the moment, such software is virtually unregulated, and its use is spreading rapidly, especially in the corporate world. Earlier this year, an American Management Association survey of over 2100 member firms--many of them among the biggest in the country--found that 74 percent monitored employees' communications, including Internet use, e-mail, computer files, and phone calls (see the chart). That's more than double the percentage found in a similar survey in 1997.

Exactly how often snoopware monitoring occurs in small businesses and homes is unclear. But the rapid emergence of products targeting this market suggests that vendors see financial opportunity in people's mistrust of their own families and employees.

Adulteryware

Spector 2.1 from SpectorSoft is perhaps the best-known commercial snoopware aimed at home users. Company spokesperson Doug Fowler says that roughly 50 percent of the software's sales are made to people monitoring spouses, and at least 20 percent to people monitoring kids.

Screen shot taken secretly by Spector 2.12 shows a user desktop.

A memory-resident program, Spector 2.1 periodically captures screen shots of the desktop. Spector 2.1 can run in monitoring mode (with a small indicator visible on the screen) or in stealth mode (with no obvious indication to users that the program is in place).

By typing a special key combination and an optional password, the owner of the program can invoke a VCR-like display of actions the computer's users have taken, as well as log info and keystroke data. An options screen lets the owner choose how often to take screen shots, what color depth to record the grabs in, whether keystrokes should be captured, and so forth.

The program works by recording information in a specified folder inside the Windows directory. The files have uninformative names such as 4F0BF6D8.TPS.

Remote Snooping

To see the information a Spectorized computer has gathered, you must sit down at the machine--which could be awkward if the person you're keeping tabs on uses it all day long. To circumvent this problem, SpectorSoft has created EBlaster, a program that regularly sends e-mail reports of Spector 2.1's findings to a designated address. The reports include listings of each program executed, right down to the user keystrokes.

EBlaster can record anything transmitted from the host machine, even by popular chat software such as Instant Messenger and ICQ. It can also send screen shots.

The program works over networks and dial-up connections (even AOL) if the e-mail on the receiving end can handle attachments. Both Spector 2.1 and EBlaster require Windows 95 or later on computers that have 16MB of memory and 10MB of open disk space.

On-the-Job Spying

WinWhatWhere's Investigator software targets business users rather than the home market. Instead of taking snapshots of the user's desktop, it maintains detailed records of the times and dates when programs run and when keystrokes are entered on a computer. The program accumulates all of this data in an Access-compatible database, and it can either e-mail the information to the monitoring person or analyze it locally.

Registered owners can run the program in stealth mode. Under this arrangement, the software displays no toolbar tray icons or splash screens to hint that it is present and at work. Like most other snoopware, Investigator does not show up in Windows' Close Program list (which appears when you press Ctrl-Alt-Del) or in the Add/Remove Programs window.

If you're more interested in the big picture of a PC's use than in minute, exhaustive details, Insight from Trisys might do the job. This program monitors employees' use of their computers but does not capture pictures of the monitor display or record the incoming and outgoing text. Insight has both desktop and server components. On the desktop, a small monitoring-agent program observes user activity and periodically contacts the server to report on time spent by employees using various applications, including the number of mouse clicks and keystrokes entered.

Insight logs all Web pages the user visits--but only if Internet Explorer is the browser. It does not capture such precise details as the actual keys pressed or the contents of the Web pages. The server application can generate activity reports for individual workstations or for an entire workgroup. Basic reports show how much time employees have devoted to different applications; if Internet Explorer browsing is involved, you also get information on the Web pages that employees visited and the length of their visits.

Insight's server component runs on Windows NT 4.0 Server or Windows 2000. Trisys recommends using SQL Server to accumulate the statistics, another reason that Insight is more of a corporate or small-business application than a home product.

Good or Evil?

In the corporate world, snoopware has helped uncover crimes such as embezzlement and fraud, but the potential for abuse worries many civil liberties advocates, who view the new technology as eroding personal privacy.

"The changing structure and nature of the workplace has led to more invasive and often covert monitoring practices that call into question employees' most basic rights to privacy and dignity," Electronic Privacy Information Center executive director Marc Rotenberg said last summer in support of congressional efforts to curb such practices.

Virtually no laws currently restrict employer monitoring of PCs in the workplace, much less home use of snoopware.

Pending legislation to tighten these rules (see "Snoopware Bills in Congress") focuses on requiring notification of employees if their computer activity is being monitored, a disclosure not required today. Several federal bills also mandate court warrants for e-mail interception in criminal cases but are silent on the use of such tactics to monitor how employees work with PCs. The National Labor Relations Board recently ruled against employers who fired workers over e-mail messages that promoted union organizing and criticized workplace conditions--but even those rulings didn't attempt to restrict the monitoring itself.

In the past two years, Dow Chemical, Xerox, and other large employers have fired dozens of employees for surfing the Internet on company time or for sending and receiving improper e-mail. In most cases, the conduct was detected via snoopware. With the low-end products now available, small businesses--not to mention your own family--could emulate the practices of Fortune 500 companies.

So if you work in a small business or use your home PC for activities you'd prefer to keep private, you might investigate whether you're being monitored (see "Countering Snoopware"). You may not be able to stop the snooping, but at least you'll know whether you're under surveillance and can respond accordingly.

The moral: Big Brother may be nearer--and more familiar--than you think.

Workplace Monitoring Is on the Rise (chart)

| Employers' monitoring activity | 1997 [1] | 1998 [1] | 1999 [1] | 2000 [1] |
|---|---|---|---|---|
| Any type of monitoring activity | 35% | 43% | 45% | 74% |
| Record and review telephone conversations | 10% | 11% | 11% | 12% |
| Store and review voice-mail messages | 5% | 5% | 6% | 7% |
| Store and review computer files | 14% | 20% | 21% | 31% |
| Store and review e-mail messages | 15% | 20% | 27% | 38% |
| Monitor Internet connections | not asked | not asked | not asked | 54% |
| Video-record job performance | 16% | 16% | 16% | 15% |

[1] Results reported in March of each year. Numbers reflect percentage of companies reporting activity.

Source: American Management Association Annual Survey on Workplace Monitoring and Surveillance

Snoopware Bills in Congress

Congress is addressing the issue of computer surveillance in several bills, but none would make monitoring itself illegal. Here are the details:

H.R. 4908--Notice of Electronic Monitoring Act. Sponsor: Rep. Charles Canady (R-Florida). Would require companies to notify employees that their computers are being monitored. Pending version does not envision penalties for violators. Introduced July 6, 2000. Currently before the House Judiciary Committee.

H.R. 4987--Digital Privacy Act of 2000. Sponsor: Rep. Bob Barr (D-Georgia). Would add e-mail messages and stored computer communications to communications now covered by federal wiretap laws. Would exclude them as evidence in criminal cases if intercepted without probable cause that they related to a criminal act. Would establish a reporting requirement when e-mail evidence is sought in criminal cases, and would set time limits on nondisclosure of intercepts. Introduced July 27, 2000. Referred to House Judiciary Subcommittee on the Constitution.

H.R. 5018--Electronic Communications Privacy Act of 2000. Sponsors: Reps. Charles Canady (R-Florida) and Asa Hutchinson (R-Arkansas). Would extend existing federal statutes on interception of electronic communications to cover e-mail messages, requiring law enforcement monitoring to adhere to standards currently applicable to pen registers and telephone wiretaps. Would exclude e-mail evidence collected without probable cause. Introduced July 7, 2000. Sent to House floor.

I Put a Tail on You: Snooping by Satellite

Ever wondered where your lowest-producing salesman spends his time? Do you harbor dark suspicions about your spouse's unexplained absences?

Computer-monitoring software can snoop on people sitting at desks, but what if your target is mobile? You could play Dick Tracy and try to follow your suspect yourself. Or you could do what the government does: Use a satellite--or more precisely, 24 satellites, the array that makes up the Global Positioning System (GPS). Developed primarily for the U.S. military but now widely used for civilian activities such as aviation and trucking, the GPS provides highly accurate worldwide positioning and navigation information 24 hours a day. Security companies have found GPS trackers to be very useful, too--for example, to monitor couriers or track endangered corporate executives.

TravelEyes uses a GPS device to track a vehicle's route.

Now, the GPS is being used with products for nosy consumers: private eyes, spouses, parents, employers, or anybody else who wants to tail someone. TravelEyes from Advanced Tracking Technologies is one such virtual PI. Advertised as concealable, this $600 system includes a GPS receiver that's smaller than a pack of cigarettes, a magnetic mount antenna with a cable that plugs into the unit, and a cigarette-lighter power adapter. To connect the device, you can use an optional $12 cable for direct wiring to a fuse box or vehicle battery. The antenna can be hidden under the dashboard or seat.

The unit can record up to 20 hours of travel per use. You transfer data from the unit to a PC via serial cable. Your monitor displays a map that shows where the vehicle went, including street addresses for stops made, the time spent at a stop, and the total mileage involved.

In our tests of a shipping unit, the TravelEyes system performed perfectly. The customized maps that it produces are simple enough for anyone to figure out. Though it doesn't rank as high on the coolness scale as those tiny hidden tracker gadgets in James Bond flicks, TravelEyes works impressively well.

Countering Snoopware: What You Can Do

The best counterespionage tactic, obviously, is to refrain from conducting sensitive business or pleasure on equipment that other people can access. And never use company equipment for unauthorized activities. The courts have ruled, quite clearly, that employees do not have absolute privacy rights in their use of such equipment.

While not required to do so, honorable businesses will tell employees their policies on monitoring. But snoopware is available now to anyone willing to pay for it, including those with devious motives.

Although the snoopware available on the market today is specifically designed to go undetected by the PC's user, several methods can help you determine whether you are being surreptitiously monitored:

1. Check your computer's system folder for changes. All of the programs we evaluated make substantial alterations there. One good way to monitor the situation is to regularly use a backup program that generates a report detailing files that have changed.

Any unexplained changes in the system folder, particularly changes that involve .dll and .exe files, are cause for suspicion.

2. Look for alterations in the Registry. These are harder to spot than system folder changes, but you can use a Registry-editing tool--such as Registry Tool, by the company of the same name--to track changes and compare the reports it produces over time.

3. Watch out for odd file names that have the "hidden" property checked. Snoopware programs typically use deceptive file names and activate the "hidden" file property feature. Good backup programs see through this. To inspect manually, enable the Show All Files option, under the View tab in the Folder Options dialog box; this is accessible under the View menu in the Windows desktop or in Windows Explorer. Look around the drive, especially in the system folder, for files with faded icons. Be careful: Important, legitimate system files are often hidden to prevent accidental and disastrous erasure.

One last headache for privacy sleuths: The snoopware that you're trying to detect may be recording your detection efforts.
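Steps 1 and 3 can be scripted as a baseline-and-compare check. The following is an added example, not part of the original article: the function names are hypothetical, the demo folder and its files are constructed, and the hidden-attribute test only has an effect on Windows.

```python
import hashlib
import os
import stat
import tempfile

WATCHED_EXTENSIONS = (".dll", ".exe")


def snapshot(folder):
    """Map each relative file path (lower-cased) to (sha256, hidden_flag)."""
    result = {}
    for dirpath, _dirs, files in os.walk(folder):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                st = os.stat(full)
                with open(full, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
            except OSError:
                continue  # locked or vanished file: skip rather than abort
            # st_file_attributes exists only on Windows; treat as 0 elsewhere.
            attrs = getattr(st, "st_file_attributes", 0)
            hidden = bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)
            rel = os.path.relpath(full, folder).lower()
            result[rel] = (digest, hidden)
    return result


def compare(before, after):
    """Return findings as (kind, path) tuples, sorted for stable reports."""
    findings = []
    for path, (digest, hidden) in after.items():
        executable = path.endswith(WATCHED_EXTENSIONS)
        if path not in before:
            findings.append(("added-executable" if executable else "added", path))
        elif before[path][0] != digest and executable:
            findings.append(("changed-executable", path))
        if hidden and not before.get(path, (None, False))[1]:
            findings.append(("newly-hidden", path))
    findings.extend(("removed", p) for p in before if p not in after)
    return sorted(findings)


def demo():
    """Constructed scenario: a stand-in system folder before and after."""
    with tempfile.TemporaryDirectory() as root:
        def write(name, data):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        write("sample.dll", b"original")
        write("notes.txt", b"hello")
        baseline = snapshot(root)
        write("sample.dll", b"patched")        # modified library
        write("unknown.exe", b"new program")   # unexplained new executable
        write("notes.txt", b"hello again")     # data file change: not flagged
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, path in demo():
        print(kind, path)
```

Store the baseline somewhere the monitored machine's other users cannot alter, and take it before you have reason for suspicion.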

Here are the discoveries we made while evaluating the various products. Note that many programs allow the installer to change some of the file names involved, and that software developers are likely to change the names between versions deliberately to make lists like this obsolete.

Spector

Spector 2.1 adds several files to the C:\Windows\System directory, including mswnsrvx.cnt, mswnsrvx.exe, mswnsrvx.hlp, shmswnmp.dll, and shmswnrc.dll (all of these are hidden files).

The easiest way to determine whether you are under surveillance by Spector is to check for the C:\Windows\System\WebExt directory, which contains files with names like "4F0BF6D8.TPS." There may also be a master log file called "_MSFILEA.TXT", which shows when each capture file starts. The WebExt directory isn't hidden, but it can be changed to another name to make it harder to detect.

EBlaster

The major EBlaster program file is the 468KB URLMKPL.DLL, in the Windows/System folder. Also added are msskfzwin.dll, msskfzwin.ocx, and winmsskfzwin.drv.

EBlaster must send e-mail outbound to report on you. Severing your network connection will cause reporting to be delayed.

Insight

Detecting an installation of Insight is pretty easy. The standard installation procedure leaves an entry in the Install/Uninstall control panel labeled "INSIGHT Client." Insight also uses several .dll files that all start with the characters isgt, including isgtCBHO.dll, isgtCLHK.dll, and isgtCLNT.exe. The default is to place them in the C:\isgt directory, although a wily administrator can easily conceal them elsewhere, like in the system folder.

If your only concern is Web surfing security, an obvious countermeasure to being snooped is to use Netscape, which does not report the page being visited. However, this may itself be seen as suspicious behavior.

I came up with a simple hack for spoofing this program: Make a copy of Netscape.exe and rename it to something like "WinWord.exe" (put the duplicate in the same directory that Netscape.exe was in). Launch that duplicate, rather than Netscape.exe. This spoofs the monitor into thinking you are word processing instead of surfing.

Be careful though--in a place of employment it is common to use multiple layers of monitoring, so an employer might catch you at the firewall even if you fool the monitor by renaming Netscape.

Insight, like the TravelEyes GPS system, requires management to regularly run the reports and to cross-check them against other records, such as attendance records or vehicle odometers. Otherwise it is relatively easy to deceive them by renaming your browser or shielding the antenna.

WinWhatWhere

WinWhatWhere includes instructions for changing the name of the executable files involved. This makes it harder to detect the program by doing simple directory investigation. When unmodified, the files to look for are Windows/System/aa81232.exe, Windows/System/sem.exe, W3i.exe, W3ihist.exe, and W3isetup.exe. The data is captured in a file with a name like "zw83.dat" ("zw81.dat," "zw82.dat," and so on). I could not find a provision for changing the capture file naming, although that may be possible.
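The default file and folder names listed above for the four products can be checked in one pass. This is an added example, not part of the original article: the `scan` function is hypothetical, the demo tree is constructed, and the patterns for capture files ("names like" 4F0BF6D8.TPS and zw83.dat) are assumptions generalised from the samples given.

```python
import os
import re
import tempfile

# Names reported in the article, matched case-insensitively against each
# file or folder name. The 8-hex-digit .TPS and zw<number>.dat patterns are
# assumptions generalised from the article's sample names.
INDICATORS = {
    "Spector": [r"mswnsrvx\.(cnt|exe|hlp)", r"shmswn(mp|rc)\.dll",
                r"webext", r"_msfilea\.txt", r"[0-9a-f]{8}\.tps"],
    "EBlaster": [r"urlmkpl\.dll", r"msskfzwin\.(dll|ocx)",
                 r"winmsskfzwin\.drv"],
    "Insight": [r"isgt", r"isgt\w+\.(dll|exe)"],
    "WinWhatWhere": [r"aa81232\.exe", r"sem\.exe",
                     r"w3i(hist|setup)?\.exe", r"zw\d+\.dat"],
}
COMPILED = {
    product: re.compile("|".join(patterns), re.IGNORECASE)
    for product, patterns in INDICATORS.items()
}


def scan(root):
    """Return {product: [relative paths]} for names matching an indicator."""
    hits = {}
    for dirpath, dirs, files in os.walk(root):
        for name in dirs + files:
            for product, pattern in COMPILED.items():
                if pattern.fullmatch(name):
                    rel = os.path.relpath(os.path.join(dirpath, name), root)
                    hits.setdefault(product, []).append(rel.replace(os.sep, "/"))
    return {product: sorted(paths) for product, paths in hits.items()}


def demo():
    """Constructed directory tree standing in for a Windows drive."""
    with tempfile.TemporaryDirectory() as root:
        system = os.path.join(root, "Windows", "System")
        os.makedirs(os.path.join(system, "WebExt"))
        for rel in ("WebExt/4F0BF6D8.TPS", "URLMKPL.DLL", "zw83.dat",
                    "user32.dll", "readme.txt"):
            with open(os.path.join(system, *rel.split("/")), "wb") as fh:
                fh.write(b"constructed sample")
        return scan(root)


if __name__ == "__main__":
    for product, paths in demo().items():
        print(product, paths)
```

A match is a lead to investigate rather than proof, and because installers can rename these files, a clean result does not show that the machine is unmonitored.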

Some Final Points

Antivirus protection is always recommended. There are a variety of espionage tools circulating in the hacker underground, including a well-known one called "Back Orifice." An antivirus program will prevent such a tool from being inserted covertly via e-mail or the execution of infected software.

A good way to figure out what a cryptic .dll or .exe file name means is to type it into a search engine and go look at the links that come back.

If you wish to practice deception, buy a copy of the snoopware program for yourself and experiment with it on a machine entirely under your control. After you have figured it out in safety, you can try fooling your adversary.

Finally, it is always wise to "play dumb and act smart." If your adversary underestimates you, they are less likely to resort to sophisticated deceptions such as changing file names, and the job of protecting your privacy is easier.

--Jamie Fenton

©2009 About.com, a part of The New York Times Company.

All rights reserved.